
Comments


Obama Administration Says the World's Servers Are Ours

IBitOBear Re:You have this backwards. (749 comments)

Interesting distinctions. Does Microsoft own the servers directly, or through a subsidiary? Is Microsoft a direct participant in the action or just a third party?

If Microsoft is just a third party then their case is very strong.

about 2 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear If it's a "subsidiary" it's within reach. (749 comments)

If it was a Mexican _partner_ you'd be right. If it's a Mexican _subsidiary_ you are wrong.

A "subsidiary" is an owned asset. If you own an asset and it was in Brunei and you are here before the court, the court can order you to surrender that asset because you own it and you are subject to the law where you are.

I don't have to subpoena you in Brunei if I've got you here.

Your only defense is if Mexican law makes it _illegal_ for you to move or copy the asset. In that case you'd have the "the court cannot require me to break the law" defense, which is not the same as the "it's far away" defense Microsoft is attempting.

For instance, let's say Fidelity (a French company) was required, in French court, to produce my financial records for the purpose of auditing Fidelity for alleged misconduct. And let's say Fidelity didn't want to do so. They could resist the production order under various U.S. laws such as HIPAA if my records incidentally contained medical information.

Likewise, if the E.U. privacy regulations covered some or all of these documents then Microsoft _could_ _have_ argued _that_ against the production order. Same for things like Attorney-Client Privilege and any number of other things. I work for a company in the U.S. that is a wholly owned subsidiary of a British company. But the British crown and court cannot successfully subpoena any of our non-financial documents because we do defense work and so U.S. law would prevent the export of that material. But the money stuff is fair game.

So too for paper documents. The "that would be illegal" defense cuts very fine. If the documents were in Afghanistan, and printed on pure marijuana leaf, then you could argue against shipping the original documents here because marijuana is illegal here. But the court could then require you to photocopy or fax the documents here on a more legal paper.

Now people have been talking "warrant" vs "subpoena" and I don't actually know for sure which thing is happening. A demand for surrender (subpoena) is different than a warrant to enter and search. This sounds like a subpoena not a warrant, as a warrant wouldn't be served to Microsoft here, it would be processed by the foreign government and would be served _there_ by local law enforcement.

Given all that, "the old paper courts" are no different than the current paper courts. The "on a computer" bit is immaterial.

If Microsoft controls the documents personally, or through an agent, and a "subsidiary" is a kind of agent with lots of legal precedent, the documents are fair game unless an actual law in the other jurisdiction says they are not. Paper or not.

The question is one of control not format of storage.

about 2 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear Re:You have this backwards. (749 comments)

If I used a Saudi document escrow or storage service to store my documents, and they stored them in Botswana, there would be at least three jurisdictions with the ability to subpoena those documents. Botswana, Saudi Arabia, and wherever I live (so State of Washington, and U.S.A. federal jurisdictions).

It was _my_ choice to involve the Saudis and they were acting as my agent when they involved Botswana.

Sucks to be me if my documents are not actionable here but against the law there. I got those places involved in my business by doing business with them. That's the nature of actual, personal responsibility.

Really read this sentence: "In essence, President Barack Obama's administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas."

This is a core tenet of law. It is the same legal principle that says the U.S. can prevent and punish a U.S. company from shipping heroin and sex slaves from Afghanistan to Brunei because they _are_ a U.S. company. It's also the same reason that a Brunei court can go after the same company.

If I go to Mexico I am bound by Mexican _and_ U.S. Law. You can substitute any countries for any countries in this scenario.

This is also why I am mostly untouchable in Utah and Montana since I've never been in Utah, and I drove through Montana once. But that could change if I started a partnership with someone who lived in Utah. That relationship between them and me could bring many of my details under the jurisdiction of the Utah court.

You step in a river, you get water on you. You splash around in business in a particular country, the law of that country will stick.

Microsoft does business here. The dispute is a dispute here. That Microsoft stores the relevant material there, by accident of fate or by purpose of design, doesn't insulate that material from this court.

Where is the dispute, who created the material, and where are they, and where were they when they made the material. These are not very advanced questions.

It's more or less the same reason that a U.S. court can prosecute a U.S. citizen for "sex tourism" if they do the under-aged nasty in a land where that's supposedly okay, because they did it under the tacit protection of the U.S. because they could call their consul and embassy via their citizenship and passport etc.

It's very, very hard to wash off a jurisdiction. One of the reasons the Swiss were so useful for so long is that they just wouldn't say what they were holding. Other jurisdictions could hold you responsible for what they could prove you "must have", but they couldn't ever get the Swiss to _be_ that proof because they would simply remain silent.

There is no dispute that Microsoft has these documents. There is no dispute that Microsoft is a U.S. company. There is no dispute that the dispute is taking place in the U.S. So Microsoft's claim is _almost_ pro forma. They don't _want_ to cough up the stuff, but they likely have no belief that this defense will work.

Part of what Microsoft sells here is "if they mess with your bull they'll get _our_ horns, so trust us with your stuff". The very fact of the defense, despite its absurdity, is a feather in their cap.

But eventually the documents will be produced.

about 2 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear You have this backwards. (749 comments)

Microsoft is trying the "you can't hold me responsible for yesterday's shooting because the gun is in my other pants" defense.

The law has _always_ held that if you are before the court, everything relevant to the case is before the court.

If this were not the case then the Tobacco and Asbestos companies could have just said "all those meeting minutes and research records are stored in our warehouse in Mexico so ha ha, you all lose." Any company or person, on any issue, could just mail the evidence out of state or out of country and get off scot-free.

That just never happened.

Just because the evidence is "on a computer" instead of "printed on paper" doesn't make the "other pants" defense viable.

The court is not reaching across a border. Microsoft is _here_. Microsoft does business _here_. The complaint is _here_, and the court is _here_. The proper legal response to "the other pants" gambit is to tell the guy in his shorts to send someone to go get whatever it is from those pants and bring it back.

Criminals don't just "move" their assets to other countries, they "hide" them because if it can be found it's on the table.

Every court. Every country. Every topic. From the beginning of time.

This is no different.

about 2 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear Not so much actually. (749 comments)

This isn't a case of the U.S. reaching across a border. Microsoft is _here_. Microsoft is doing business _here_. The court _here_ is ordering Microsoft _here_ to produce documents _here_. Microsoft's claim that the documents are "in their other pants" (e.g. on a server in Ireland) is immaterial because Microsoft is _here_ and _Microsoft_ owns those documents.

Now _if_ this were a case where a U.S. Court was ordering a company that was not _here_, say an Irish company that was _there_ in Ireland called Irish Pizza Delivery Co. to cough up emails even though they don't do any business here... that would be a huge over-step. That over-step is because they are _there_, or more correctly _not_ _here_, and the court is _here_.

This is _exactly_ the same reason that the U.S. Tobacco companies and Asbestos companies could not dodge legal responsibility by just shipping their money and internal paperwork to South America as soon as people started coughing.

about 2 months ago

One In Ten Americans Thinks HTML Is a Type of Sexually Transmitted Infection

IBitOBear Or are bitter and jaded (255 comments)

I know that when I am being data mined I am very likely to pick the funny or ironic answer to any poll. The less intelligent the dumbest option is, the more likely I am to select it. My data is valuable and if you aren't going to pay a fair price, and you intend to use it to subvert my happiness, I am not likely to go quietly to the slaughter.

I remember some movie where a guy lands in a Gulag and is being forced to make mitten liners. He learns from one of the other guys to sew them shut across the fingers and then hide the sabotaged ones by slipping them into the "already inspected" pile. It is sabotage and it's faster than making the proper stitch so it's easier to meet the quota.

Lots of people maliciously answer polls and such, or so I suspect, which is why they are such a terrible instrument of governance and polity.

And P.S. if you don't limit people to thinking about tech, well there are _many_ blue species of sting and manta rays, so contextually they might have a point on answering some of those questions. It's that whole ability to read past typos that humans are so gifted with.

So conclusion? Polls suck, they suck slightly more than the pollsters conducting them, um-kay?

about 6 months ago

One In Ten Americans Thinks HTML Is a Type of Sexually Transmitted Infection

IBitOBear HTML is an accessory fruit. (255 comments)

The sad truth is that HTML is just an accessory fruit for delivering other seeds of ideas, good and bad. Most of those ideas are capable of hosting infections, particularly DRM, computer viruses, and the kind of porn you wish you could unsee.

about 6 months ago

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear The case _for_ goto (231 comments)

The Linux kernel is full of gotos. Assembly is bereft of blocks and that sort of structure. So "goto" isn't the source of all evil.

Consider this example of the Linux goto paradigm below. When taking locks and establishing component preconditions you can write an optimal routine that does the stepwise creation, and includes the non-conditional cleanup. Then skipping the cleanup if all the parts succeed. The example below is trivial, but when it comes to preserving locking orders it solves a hard problem very simply. And if you check out the generated code it's very efficient. More so if you hint the compiler that the success case is most likely for each conditional.

So take the simple example and imagine you are building something complex like a network request with data and metadata buffers and the actual request structure itself et al... as the number of parts grow the number of bizarre else conditions you have to use to do stepwise cleanup become bothersome repetitions of code. It's even worse if it's part1 _or_ part2 along with part3 etc. Complexity and repetition of phrases in the elses is plenty of reason to use goto.

#include <stddef.h>

/* Opaque part types and their constructors/destructors, assumed to be defined elsewhere. */
typedef struct complex_thing complex_thing;
typedef struct thing_pt1 thing_pt1;
typedef struct thing_pt2 thing_pt2;
thing_pt1 *generate_first(void);
thing_pt2 *generate_last(thing_pt1 *pt1);
complex_thing *generate_final(thing_pt1 *pt1, thing_pt2 *pt2);
void cleanup_first(thing_pt1 *pt1);
void cleanup_last(thing_pt2 *pt2);

complex_thing *hard_thing(void) {
    complex_thing *retval = NULL;
    thing_pt1 *pt1 = NULL;
    thing_pt2 *pt2 = NULL;
    /* Build each part in order; any failure falls through to the cleanup below. */
    if ((pt1 = generate_first()) != NULL) {
        if ((pt2 = generate_last(pt1)) != NULL) {
            if ((retval = generate_final(pt1, pt2)) != NULL) {
                goto success;   /* every part built: skip the cleanup */
            }
        }
    }
    /* Partial failure: tear down whatever exists, in reverse order of creation. */
    if (pt2) cleanup_last(pt2);
    if (pt1) cleanup_first(pt1);
success:
    return retval;              /* NULL on failure, the finished object on success */
}

Simply put, there are times when a well-placed goto with a clear purpose and precondition can simplify code and accelerate execution.

Do I use a lot of gotos? no. Probably six C/C++ gotos in the last fifteen years. But when they are the correct tool to use, they can be magical.

about 6 months ago
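As an added example (not the poster's code), the same idea carried one step further into the form kernel code actually uses: one error label per acquired resource, in reverse order, so every partial-failure path releases exactly what was built and nothing else. The request/data/meta layout, the try_alloc hook and the live-block counter are assumptions introduced for the demonstration; forcing the Nth allocation to fail lets each unwind path be exercised without real memory pressure.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical "network request" assembled from three separately owned parts,
 * standing in for the data/metadata/request structure the comment describes. */
struct request {
    char *data;     /* payload buffer */
    char *meta;     /* metadata buffer */
};

/* Test hooks (assumptions for this example): when fail_at is nonzero, the
 * fail_at-th allocation of a build returns NULL; live_blocks counts blocks
 * currently held so a leak shows up as a nonzero count after cleanup. */
static int fail_at = 0;
static int alloc_count = 0;
static int live_blocks = 0;

static void *try_alloc(size_t n)
{
    alloc_count++;
    if (fail_at != 0 && alloc_count == fail_at)
        return NULL;
    void *p = calloc(1, n);
    if (p)
        live_blocks++;
    return p;
}

static void release(void *p)
{
    if (p) {
        live_blocks--;
        free(p);
    }
}

/* Build the request step by step. Each failure jumps to the label that undoes
 * exactly what was already done, in reverse order of acquisition. */
struct request *build_request(size_t data_len, size_t meta_len)
{
    struct request *req = try_alloc(sizeof(*req));
    if (!req)
        return NULL;                /* nothing acquired yet, nothing to undo */
    req->data = try_alloc(data_len);
    if (!req->data)
        goto err_data;
    req->meta = try_alloc(meta_len);
    if (!req->meta)
        goto err_meta;
    return req;                     /* success: caller owns all three blocks */

err_meta:
    release(req->data);             /* undo step 2 */
err_data:
    release(req);                   /* undo step 1 */
    return NULL;
}

void free_request(struct request *req)
{
    if (!req)
        return;
    release(req->meta);
    release(req->data);
    release(req);
}

static void reset_hooks(int fail_nth)
{
    fail_at = fail_nth;
    alloc_count = 0;
    live_blocks = 0;
}

/* Returns 1 if a build succeeds when allocation number fail_nth is forced to
 * fail (0 = no forced failure), 0 otherwise. */
int build_succeeds(int fail_nth)
{
    reset_hooks(fail_nth);
    struct request *req = build_request(64, 16);
    int ok = (req != NULL);
    free_request(req);
    fail_at = 0;
    return ok;
}

/* Returns how many blocks are still held after a build with the given forced
 * failure and a free_request of whatever came back. Correct unwinding gives 0
 * for every value of fail_nth. */
int blocks_leaked(int fail_nth)
{
    reset_hooks(fail_nth);
    struct request *req = build_request(64, 16);
    free_request(req);
    fail_at = 0;
    return live_blocks;
}
```

The labels replace the `if (pt2) ... if (pt1) ...` guards in the post: the position of the jump already encodes which resources exist, so no per-resource NULL check is needed and adding a fourth part means adding one allocation and one label, not another else branch.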

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear Writing safety-aware code _somewhere_ (231 comments)

Since all machine code is potentially brittle, the argument for using "safety aware languages" is itself brittle. For instance, Ada is safe because it doesn't allow deallocation unless you use ada.unchecked_deallocation(), or in the alternate, build nothing on the heap, or just hope that the Ada implementation has garbage collection, or..., or... etc.

_Someone_ has to do the work to protect whatever the brittleness is at issue.

For years I have used "struct Buffer { char *start; char *end; };" instead of just char * string. (thing.end - thing.start) is faster than strlen() and the constraints are always present. I've got a library full of simple bits that make this work (a wrapper around write(2) and read(2) for example).

Bad code can be written in any language. Java is safe? Well kind of, until you start making circles of references and losing them. Sounds harmless unless there is a task and open socket in that circular reference and you've left a link back to some structure so that the socket is now able to access some nonsense.

The best tools in the worst hands are far worse than the worst tools in the best hands. Yelling for tools is a specious argument. Someone has to do the work, and that someone may well bone the job.

about 6 months ago
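An added example (not the poster's own library) of the start/end buffer idea from the post above, together with the kind of write(2)/read(2) wrappers it mentions: length is end minus start, an append that would not fit is refused instead of overflowing, embedded NUL bytes are carried where strlen() would stop short, and the write wrapper loops over short writes and EINTR. The Storage type, the function names and the 8-byte sizes are assumptions for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* A bounded byte range [start, end). Length is a subtraction, never a scan,
 * and an embedded NUL is just another byte. */
struct Buffer {
    char *start;
    char *end;
};

/* Backing storage plus the range currently filled within it (assumed type). */
struct Storage {
    char *base;
    char *limit;            /* one past the last usable byte */
    struct Buffer used;     /* [base, used.end) holds valid data */
};

static size_t buffer_len(const struct Buffer *b)
{
    return (size_t)(b->end - b->start);
}

void storage_init(struct Storage *s, char *mem, size_t cap)
{
    s->base = mem;
    s->limit = mem + cap;
    s->used.start = mem;
    s->used.end = mem;
}

/* Append n bytes. Returns -1 and leaves the buffer untouched if they would not
 * fit: the check strcpy()/strcat() never make. */
int buffer_append(struct Storage *s, const char *src, size_t n)
{
    if ((size_t)(s->limit - s->used.end) < n)
        return -1;
    memcpy(s->used.end, src, n);
    s->used.end += n;
    return 0;
}

/* Write the whole range to fd, retrying on short writes and EINTR.
 * Returns 0 on success, -1 with errno set on a hard error. */
int buffer_write_all(int fd, struct Buffer b)
{
    while (b.start < b.end) {
        ssize_t w = write(fd, b.start, buffer_len(&b));
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        b.start += w;
    }
    return 0;
}

/* Read at most the free space in s from fd, so the kernel can never write past
 * limit. Returns bytes read, 0 at EOF or when full, -1 on error. */
ssize_t buffer_read_some(int fd, struct Storage *s)
{
    size_t room = (size_t)(s->limit - s->used.end);
    if (room == 0)
        return 0;
    ssize_t r = read(fd, s->used.end, room);
    if (r > 0)
        s->used.end += r;
    return r;
}

/* Worked check on constructed data: an embedded NUL, a refused overflow and a
 * pipe round trip. Returns 1 on success or a code naming the failed step. */
int demo_roundtrip(void)
{
    char mem[8];
    struct Storage s;
    storage_init(&s, mem, sizeof mem);
    if (buffer_append(&s, "ab\0cd", 5) != 0) return 2;
    if (buffer_len(&s.used) != 5 || strlen(s.used.start) != 2) return 3; /* strlen stops at the NUL */
    if (buffer_append(&s, "wxyz", 4) != -1) return 4;   /* 5 + 4 > 8: refused */
    if (buffer_len(&s.used) != 5) return 5;             /* refused append changed nothing */

    int fds[2];
    if (pipe(fds) != 0) return 6;
    if (buffer_write_all(fds[1], s.used) != 0) return 7;
    close(fds[1]);

    char in_mem[8];
    struct Storage in;
    storage_init(&in, in_mem, sizeof in_mem);
    if (buffer_read_some(fds[0], &in) != 5) return 8;
    close(fds[0]);
    if (buffer_len(&in.used) != 5 || memcmp(in.used.start, "ab\0cd", 5) != 0) return 9;
    return 1;
}
```

The point of the type is that every operation takes the bound with it: the caller cannot pass a pointer without also passing where it ends, so the "someone has to do the work" in the post is done once, in the append and read wrappers, rather than at every call site.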

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear I propose "Snowden" become an active tense op (231 comments)

Snowden:
(v) Adding a bit of code, hardware, or operation you know you shouldn't because an authority requires you do so.
"Hey honey, I'll be late for dinner, I have to snowden the latest release of firefox."

(n) the sneaky bit of intrusive technology
"Hey what's this bit?" "Shhh, that's the snowden."

I know he was the whistleblower, but we should enshrine his deed and the knowledge that this is happening using his name in memoriam.

about 6 months ago

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear Definition of "Enough" and "false dichotomy" (231 comments)

ASIDE: Your point is mute [look up "moot" before attempting correction. 8-) ]. Enough is enough, and any less is not enough. That's the definition of enough.

Consider: "If you eat enough pudding you'll die"... the only test case is to keep eating pudding till you die. If you stop before you die you didn't eat enough. 8-)

Now the point that all eyeballs are not equal is fine and obvious. It only takes one metaphorical eyeball, connected to the correct brain, to find a bug. So one is enough if the rest of the configuration is suitable, and an infinite number are not enough if they lack the context.

The real difference between FOSS and others is not the quality of the eyeballs but the opportunity for the correctly equipped eyeball to fall on the relevant bit. In closed source applications the right post-eyeball configuration would have to first be part of the set of allowed eyeballs, and it would likely have to be actively paid to look for the bug directly or indirectly since the limited herd of eyeballs all have their assignments.

Pretending that the better solution (FOSS IMHO) is unworkable because it's demonstrably imperfect ignores the fact that the far less functional (NON FOSS IMHO) has a demonstrably worse track record. That comparison and derision is just "false dichotomy" and kind of an example of, perhaps, why you aren't the set of eyeballs in charge.

In non-FOSS circumstances virtually all eyeballs lack the context to find and fix problems because they lack access to the source.

So your argument fails because it implicitly argues against exposure, or argues that exposure isn't enough if the right people aren't looking. The failure isn't one of fact but of position. You offer no counter proposal. You are pissing on the model that exists but offering no alternative. In short you are engaged in venting of some sort but you are apparently not one of the set of eyeballs ready to offer solutions.

about 6 months ago

Rise of the Warrior Cop: How America's Police Forces Became Militarized

IBitOBear Didn't "run away" from Europe... (835 comments)

Actually the "Puritan Separatists" were kicked out of Europe for advocating regicide (trying to get someone to kill the king). They were granted title to what is now Virginia but decided to stay where they made landfall instead (not very good sailors). And they didn't come for freedom of religion, they wanted to set up their very own Jonestown (Guyana). It's right there in their name "puritan separatists".

We don't necessarily have a thing for fear. We have a thing for authoritarianism.

So dear Europe, the next time you decide to export all your religious wackos, don't send them all to the same place... it weakens the gene-pool.

There just happens to be a high correlation between fear and republicanism, so they run on the more police, more prisons, and to do so the conservative media bias is deliberately mis-sold as a liberal one. It's a self-perpetuating cycle.

On top of that, criminals all want to be cops, but only the petty criminals can make it through the background check. The criminals want a taste of the power that previously held them down. So you end up with a lot of well armed, otherwise petty criminals ganged up in one profession exercising their egos.

about a year ago

Ask Slashdot: How To Deliver a Print Magazine Online, While Avoiding Piracy?

IBitOBear So ask nicely and don't be a dick. (298 comments)

Seriously, just ask your client base not to copy the mag, and maybe even do "pay what you want". It worked really well for The Humble Bundle.

If the product is good and you treat your customer base well, they will pay. If you don't they won't.

The people who are going to copy it are not the people you want to care about as customers. Count them for ad revenue (like any other advertisement model, the reader is the product as far as the advertisers are concerned so copying is good from that angle).

You just need to find the sweet spot between universally free distribution (for high advert return) and enough direct sales for its own sake.

And don't be a dick.

about a year ago

What Medical Tests Should Teach Us About the NSA Surveillance Program

IBitOBear Sharpshooter Fallacy (107 comments)

You know, when people talk about who was warned about what, they completely forget the sharpshooter fallacy. Warn everyone about everyone, then when some one does some one thing you can say "you were warned" because, in the huge pile of everything-squared you can find that needle in the needle-stack.

Now all the people who pointed at the needle demand a bigger needle-stack full of smaller and smaller needles.

More signal. But more noise. And more noise per each increment in signal.

And more blame to go around.

There was a song, it has a point. "You have to hold on loosely but don't let go". There was a movie, and it has a point "the more you tighten your grip the more systems will slip through your fingers." It's like there are all these old aphorisms and they came about for having truth within them. The truth of moderation.

More isn't better, it likely never was.

about a year ago

Electronic Arts CEO Ousted In Wake of SimCity Launch Disaster

IBitOBear Re:Schadenfreude (427 comments)

No you wouldn't want to jump from a plane with a solid gold parachute (it'd be too heavy). Golden is a different beast altogether. A golden parachute could be made out of $20m of rarest silk with all the d-rings made from chocolate diamonds and a harness embroidered with hundreds of untraceable swiss bank account numbers.

In one of the Books of the Malazans series there was a town where, should you default on an obligation the holder of that obligation could decide to make you swim across the local harbor bearing the amount of your default strapped to your body in gold. It cost the owed party twice the amount (e.g. his cash out of pocket and the money he'd never get from you) but people were very unlikely to default on obligations. Plus the creditor could often make his money back on the side bets for how long it took you to drown... Now _that_ would be a system for exiting CEOs.

about a year and a half ago

U.S. Reps Chu and Coble Start Intellectual Property Caucus

IBitOBear Be Serious (150 comments)

This "representation of the artists" will be the DRM and studios... I get your point about the public domain, but who is going to represent the _actual_ artists and other creatives?

about a year and a half ago

U.S. Reps Chu and Coble Start Intellectual Property Caucus

IBitOBear Re:And who will represent the people? (150 comments)

Stupider than that... grandparent says "GOP aka Republicans"... so not only does he not know what the GOP is, he was unable to read the whole post.

about a year and a half ago

SSH Password Gropers Are Now Trying High Ports

IBitOBear more on point (349 comments)

since fail2ban would ban the entire NAT(ed) other office if one actor there were to fail-out from a host in that office, it suffers from the same "short coming" as my script in general, and if you know that some particular shop somewhere is behind a nat, why wouldn't you then white-list that address anyway? e.g. using fail2ban is a good way to let one noob at (remote office) lock out everyone at (remote office). Just because it _hasn't_ happened to you yet doesn't mean that you are ready for the case when it does.

That's a real wizzer of a solution there bob...

If you don't already have white-lists (and preferably VPNs) between known good sites you are just a denial-of-service or "I can't remember my password with this hangover" event away from the theoretical firing anyway.

Again, if you don't know how to apply your tools then all solutions that you don't already think are super-duper will seem suspect. Since you don't seem to know the weaknesses of your current solution, and you improperly apply your "wisdom" as analysis of _my_ solution, you are proved doubly wrong.

Cookbook fail to you, good sir...

(P.S. I know, and point out, that the good and bad attempts are counted in the limit. There are reasons. That those reasons don't apply to your case doesn't make _me_ wrong, it makes _you_ short-sighted for assuming that what doesn't work for your case can't possibly be correct for anyone. 8-)

about a year and a half ago

SSH Password Gropers Are Now Trying High Ports

IBitOBear The reason(s) for this construction (349 comments)

While I do use this at home, I also use it on a number of forward facing servers for business purposes (usually with different thresholds and numbers). I spend very little time at "my desk" so the ability to know that I will always have a computer with a pre-shared key available is quite limited. If I am, say, at a hangar at an airfield and I get an emergency call to check on a host, I can ssh to my own (unprivileged) account and elevate my privileges thereafter. So I, and my very few alternates, can respond from anywhere with no chance of leaking meaningful key material as one might if they tried to match up known/authorized keys (and USB sticks are verboten in many of the places I find myself).

In that usage pattern, if I ended up having to ssh in more than five times in a single hour then things are really not right. (and if I knew that sort of thing was going to happen I _could_ always tweak the rule, but I more often use the multi-session ControlPath etc options to side-step the 5-per-hour limit if larger maintenance comes to the front).

That is, I limit the connections pass-or-fail, because it matches the expected (sparse) use pattern and so also limits the ability of a compromised machine I might use as a source box from spanning into the target machine. For instance I can use a source host and then invalidate it by making a couple extra connections so if, say, I have to use an internet cafe (it's never happened, but it might) or hotel computer or whatever, I can keep a clever follower-on from using a key-logger or whatever, from just using the link again. [granted he could use the information from a different computer etc and I have other means for dealing with that sort of thing (locking the access account after use until I can get somewhere secure and change the password; single-use passwords on some systems, etc), but in terms of a quick access and then block, this works well.]

Different access models require different tools. Being able to ssh in from just about anywhere has come up as useful. Having several useful ways of closing that door, or having it slammed shut perforce, after the valid use are also important levels in any paradigm.

Also, if you reuse the named recent table (e.g. "bad_actors" in this example) [or indeed a whole chain if it's not SSH specific if you replace "ACCEPT" with "RETURN"] in different rules you can easily catch a machine on its very first port-scan or on a single attempt to reach a service you know you don't offer (like SMB service) and drop it into the named table. This lets the co-variants of the one rule "gang up" on the bad actor from different parts of your rule set without invoking expensive external processes. For instance if you also --set an IP address as a bad_actor for sending you a SYN/FIN or a broadcast ping then that one host doesn't get to double or triple dip your security.

about a year and a half ago

SSH Password Gropers Are Now Trying High Ports

IBitOBear Re:Better than that... (349 comments)

I would expect to be called on shortcomings... But that didn't happen... Someone who didn't bother to understand the code mis-applied it to his situation and then called that misapplication for being flawed.

See, I responded in a conversational chain about "brute forcing a key" with a basic structure on how to blacklist a brute force attempt source. (and in two other places I did paste the same code since Slashdot doesn't let you easily fold sub-topics, but in each case the conversation was slightly different.)

Now at no time did I say "this will solve all your problems or address all your issues". For example one of the "short-comings" was about logging and the other involved use _inside_ a VPN where connection rates would be intentionally much higher. Neither is a real short-coming as people with even trivial knowledge of program flow and iptables in general would know how to deal with both situations. Things like picking the network interfaces to apply the rules to, and fully understanding that where rules are not desired, they should not be applied. (it's kind of no-duh that way, life). [In fact, if you look at the command I use "ext+" (instead of the default "eth+" et al.) as the interface, which is completely non-standard to deter "cut and paste" application and encourage thought about how the model might be used.]

Logging is another issue wholly. Most people collect _way_ more logs than they should and then end up losing their important information in a flood of data. [ASIDE: this is why Gestaltism failed and the Scientific Method came to prominence.] It _shouldn't_ take much brain at all to figure out the various ways that logging would dress onto the skeleton above. On systems with high logging standards I usually replace most-or-all "ACCEPT" rules with a jump to an accept chain that contains uniform "success" logging (e.g. see LOG target --log-prefix element). I like to put failure logging at "the point of failure detection", and only one fail notice, so that I don't have to fish through repeats. Then I let tools (like the way the "recent" match stores the date/time of encounters) do their jobs rather than spending a lot of CPU to re-chew raw logs for no flipping reason at all. [Mil-spec sites will, clearly, have other requirements, which are solved by other means.]

As for the Condescension. That too is a useful tool, applied quite carefully in this case, that makes people think and re-read instead of reflex flame. Now you have jumped valiantly to the defense of some clod, and I decry you for that, because you have amplified his mistake with your opprobrium. This makes you more wrong than him. You have stepped in as arbiter of form with disregard to content. You are pure noise with no signal whatsoever. Your single data point is my *horror* repetition of the code in other contexts. You got me. I am willing to put the same idea in front of more than one subset of a conversation. How this must wound the internet, and confuse it beyond its ability to cope. The internet has never seen repetition so foul as I have done here.... oh wait....

I do indeed condescend, to him, and to you. His histrionic, left-handed, and unsupported assertion (q.v. "I would be fired if...") set the tone for what followed and I was willing in whole to treat with him on his terms. Your yappy-dog, I want to seem important too, infantile insertion was not even up to the low bar we were dancing above. Oh good show to you, fine tagger-along. You have wounded me to the quick with your amazing and subtle support of his shortsightedness. Bravo!

If you don't understand why littering a design pattern/example with noise is just plain bad instruction, perhaps you should retire from the field and take up something that better suits your cook-book-only, can't be bothered to think, self-limiting mentality.

about a year and a half ago

Submissions


IBitOBear writes  |  more than 7 years ago

IBitOBear writes "It seems that every web site these days wants me to provide answers to "security questions". Most of these questions are not that unique (mother's maiden name), some are unlikely (name of the person I went to prom with), more are just unanswerable (mother's youngest sibling if she's an only child), and some sites are just plain broken (one site recently wanted the city of my birth, but wouldn't allow spaces in the response, and I guarantee that when it comes time to answer I'll forget it was all crammed together just on that site). In terms of practical security this seems like a fad with no substance. When one site did it, it was "clever", but now that they all know my mother's maiden name aren't I _LESS_ secure? It seems like these questions really just serve as second and third password prompts, except that if I answer them honestly the resulting passwords are generally something a bad actor could find out pretty easily. There is typically no "opt-out" of these "added security features" and some sites will let you see your previous answers, so if the cracker gets in there he gets bonus information about you. Aside from inventing a fake personal history for each site, what or where are my options? This _feels_ like the web site equivalent of banning hair-gel from airplanes. I know enough about information theory that I feel more exposed under my new Friendly Security Questions overlords. Anybody see any practical solution aside from going all Luddite?"

IBitOBear writes | about 8 years ago

IBitOBear writes "A couple days ago I did "the interview loop" at that leading online retailer. Over the course of six hours I was repeatedly introduced to a guy in his early twenties, who would then ask me to write out code on a white-board for a problem that you might find in the study guide for a 200-level computer science class. I have 20 years of experience in programming and systems design. And in several cases the interviewers were vague, semantically incorrect, or self-contradictory. Interviewer blunders included not understanding that non-normal forms in databases can be more correct or efficient when the domain of a data is extremely limited; or choosing a leader amongst N candidates is a Byzantine agreement problem. In short, the loop would have been perfect to weed out some guy getting his first job fresh out of school, but it definitely exerted selection pressure towards excluding experienced candidates. So employers, what are you doing to make sure that you are not culling out candidates with the low-ball? And job seekers, what do you do when you find yourself trapped in a sophomore study group?"

Journals


TCP Shaper Script

IBitOBear writes | more than 6 years ago

#!/bin/bash
### BEGIN INIT INFO
# Provides:          shaper
# Required-Start:    firewall
# Required-Stop:     firewall
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Shape traffic on interfaces.
### END INIT INFO

# init script written by shane at knowplace dot org
# this script only creates the qdiscs and classes required for shaping, it
# does NOT create the necessary filters

# modified by Rob White rwhite at pobox dot com
#   mostly to take the link speed as an argument

INTERFACE='eth1'
declare -i INTERFACE_SPEED=768
declare -i BURST=1200
declare -i CBURST=1500

rc_done="  done"
rc_failed="  failed"

declare -i  CEILING=$((INTERFACE_SPEED * 98 / 100))
declare -i  COUNTER
declare -ai WEIGHT=(2 2 2 2 2)
declare -i  SLOTS=${#WEIGHT[@]}
declare -i  AGGREGATE=0
for ((COUNTER=0; COUNTER<SLOTS; ++COUNTER)) do
   AGGREGATE=$((AGGREGATE+WEIGHT[COUNTER]))
done
AGGREGATE=$((AGGREGATE+1))
declare -ai SHARE
declare -i  USED=0

for ((COUNTER=0; COUNTER<SLOTS; ++COUNTER)) do
   USED=$(( USED + (SHARE[$COUNTER]=(CEILING * ${WEIGHT[$COUNTER]} / AGGREGATE)) ))
done
SHARE[$COUNTER]=$(( INTERFACE_SPEED - USED))

declare -i BURST_CEILING=$((CEILING * 100 / 100))
#declare -i BURST_CEILING=$CEILING

return=$rc_done

TC='/sbin/tc'

tc_reset ()
{
        # Reset everything to a known state (cleared)
        $TC qdisc del dev $INTERFACE root 2> /dev/null > /dev/null
}

tc_status ()
{
    echo "[qdisc - $INTERFACE]"
    $TC -s qdisc show dev $INTERFACE
    echo "------------------------"
    echo
    echo "[class - $INTERFACE]"
    $TC -s class show dev $INTERFACE
}

tc_showfilter ()
{
    echo "[filter - $INTERFACE]"
    $TC -s filter show dev $INTERFACE
}

case "$1" in

    start)
        echo -n "Starting traffic shaping"
        tc_reset
        U320="$TC filter add dev $INTERFACE protocol ip parent 1:0 prio 0 u32"
        #
        # dev eth0 - creating qdiscs & classes
        #
        # Unclassified traffic goes to the last class (index SLOTS, the one that
        # gets the remaining bandwidth). Classes are numbered 10,20,...,(SLOTS+1)0,
        # so the default must be ${#SHARE[@]}0, not ${#SHARE[@]}+1 0, which would
        # name a class that is never created and leave that traffic unshaped.
        $TC qdisc add dev $INTERFACE root handle 1: htb default $((${#SHARE[@]}))0
        # NOTE: in tc, "kbps" means kilobytes per second; use "kbit" if
        # INTERFACE_SPEED is meant in kilobits.
        $TC class \
            add dev $INTERFACE \
            parent 1: classid 1:1 \
            htb rate ${CEILING}kbps \
                ceil ${BURST_CEILING}kbps \
                ${BURST:+burst ${BURST}b} \
                ${CBURST:+cburst ${CBURST}b}
        for ((COUNTER=0; COUNTER < (${SLOTS} + 1); ++COUNTER)) do
           HANDLE=$((COUNTER+1))0
           $TC class \
               add dev $INTERFACE \
               parent 1:1 classid 1:$HANDLE \
               htb rate ${SHARE[$COUNTER]}kbps \
                   ceil ${BURST_CEILING}kbps \
                   ${BURST:+burst ${BURST}b} \
                   ${CBURST:+cburst ${CBURST}b} \
                   prio $COUNTER
           $TC qdisc \
               add dev $INTERFACE \
               parent 1:$HANDLE \
               handle $HANDLE: \
               sfq perturb 6
        done
        tc_status
        ;;

     stop)
        echo -n "Stopping traffic shaper"
        tc_reset || return=$rc_failed
        echo -e "$return"
        ;;

    restart|reload)
        $0 stop && $0 start || return=$rc_failed
        ;;

    stats|status)
        tc_status
        ;;

    filter)
        tc_showfilter
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|stats|filter}"
        exit 1

esac
test "$return" = "$rc_done" || exit 1
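The firewall script in the next journal entry prefixes every kernel LOG line from its L* logging chains with a fireparse-style tag (fp=CATEGORY:N a=ACTION), but nothing on this page reads those lines back. The bash/awk reporter below is an added example, not the journal author's or shadow999's code; it runs over constructed sample lines in the LOG target's syslog format (documentation addresses, made-up timestamps) and assumes only POSIX awk, sort and coreutils.

```shell
#!/bin/bash
# Added example, not part of either journal script: summarise the
# fireparse-style prefixes ("fp=CATEGORY:N a=ACTION ") that the firewall's
# L* logging chains put in front of every kernel LOG line, so a defender
# can see which chains fire and from which sources.
# The lines below are constructed samples in the LOG target's syslog format;
# the addresses are documentation ranges, not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 gw kernel: fp=SYNFLOOD:1 a=DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40111 DPT=22 SYN
Mar  3 10:15:01 gw kernel: fp=SYNFLOOD:1 a=DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN
Mar  3 10:15:02 gw kernel: fp=SPECIALPORT:1 a=DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55000 DPT=27374
Mar  3 10:15:03 gw kernel: fp=TCP:1 a=DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55001 DPT=8080
Mar  3 10:15:04 gw kernel: fp=UDP:2 a=REJECT IN=eth1 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar  3 10:15:05 gw kernel: fp=BADFLAG:1 a=DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55002 DPT=80 FIN URG PSH
Mar  3 10:15:06 gw kernel: martian source 198.51.100.2 from 10.0.0.1, on dev eth1
EOF
)

# fp_summary: one "CATEGORY ACTION COUNT" line per prefix seen on stdin,
# highest count first. Lines without a prefix (e.g. the martian notice that
# log_martians=1 produces) are ignored.
fp_summary() {
    awk '
        match($0, /fp=[A-Z]+:[0-9]+ a=[A-Z]+/) {
            tag = substr($0, RSTART, RLENGTH)          # "fp=TCP:1 a=DROP"
            split(tag, f, " ")
            cat = substr(f[1], 4); sub(/:.*/, "", cat)  # "TCP"
            act = substr(f[2], 3)                       # "DROP"
            count[cat " " act]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# fp_sources CATEGORY: source addresses that tripped CATEGORY, with counts,
# highest first; the natural input for a block list or an abuse report.
fp_sources() {
    local cat="$1"
    awk -v want="fp=$cat:" '
        index($0, want) && match($0, /SRC=[0-9.]+/) {
            src[substr($0, RSTART + 4, RLENGTH - 4)]++
        }
        END { for (s in src) print s, src[s] }
    ' | sort -k2,2nr -k1,1
}

# fp_multi_category: sources that hit more than one category. One host
# tripping BADFLAG, SPECIALPORT and plain TCP drops within seconds looks
# like a scanner rather than a misconfigured peer and deserves a closer look.
fp_multi_category() {
    awk '
        match($0, /fp=[A-Z]+:/) {
            cat = substr($0, RSTART + 3, RLENGTH - 4)  # strip "fp=" and ":"
            if (match($0, /SRC=[0-9.]+/)) {
                src = substr($0, RSTART + 4, RLENGTH - 4)
                seen[src, cat] = 1
            }
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
            for (s in n) if (n[s] > 1) print s, n[s]
        }
    ' | sort -k2,2nr -k1,1
}

# Stand-alone run: the three reports for the sample log.
printf '%s\n' "$SAMPLE_LOG" | fp_summary
printf '%s\n' "$SAMPLE_LOG" | fp_sources SYNFLOOD
printf '%s\n' "$SAMPLE_LOG" | fp_multi_category
```

Feed it real lines with something like `grep 'fp=' /var/log/kern.log | fp_summary`; the LOGLIMIT rate limit in the firewall means the counts are a floor, not an exact tally.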


Firewall Script

IBitOBear writes | more than 6 years ago

#!/bin/bash -e
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    networking
# Required-Stop:     networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Secures interfaces.
### END INIT INFO

#################################################################################
#
# IPTABLES Firewall v 0.86
# by shadow999@firemail.de
#
# Small parts from http://members.optusnet.com.au/~technion/
# and some tutorials
#
# This script is intended to setup a masquerading firewall based on
# the IPTABLES (Net)filter mechanism of Linux 2.3.15+
# Syslogging matches fireparse for graphical output (see http://www.fireparse.com)
#
# Normally this script will work 'out-of-the-box', but you should adapt it to
# your own needs (At least you should set the correct default interfaces
# --> see Default-Interfaces section)
#
# Comments, suggestions, etc. are welcome
#
# Use at your own risk ;)
#
# Syntax to invoke script: firewall (start|stop|restart|status) EXTIF INTIF
# Example: "firewall start eth1 eth0"
#
#################################################################################
#
# Version History:
#
# 0.86: Added a few comments
#
# 0.85: Various re-arrangements
#       Added TCP-SYN-flood protection
#       Added separate logging of pingfloods
#       Added automatic detection of parameters on internal interface
#       Made flooding-parameters variable
#
# 0.84: Added special ICMP-Filtering
#
# 0.83: Added ICMP-logging-chain
#       Some minor changes
#
# 0.82: Reorganized parts of the script
#       Added special user-chains
#
# 0.80: Altered logging strings to match fireparse
#
# 0.78: Added many comments
#       Completed flushing of tables (missing -X)
#
# 0.75: Added automatic detection of IP-address, gateway, etc of external interface
#
# 0.7: Added new logging-chains
#
# 0.65: Added special sanity checks for TCP-Flags
#       Silently filter out SMB-traffic
#       Removed unclean-checks (according to some docs still unstable)
#
# 0.6: Major redesign of whole script, divided into chain-sections
#
# 0.5: Adopted parts of firewall-script from http://members.optusnet.com.au/~technion/
#      Minor changes
#
#
########################################################################################

# This is the location of the iptables command
IPTABLES="/sbin/iptables"

case "$1" in
   stop)
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat

      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      echo "...done"
      ;;
   status)
      echo $"Table: filter"
      $IPTABLES --list
      echo $"Table: nat"
      $IPTABLES -t nat --list
      echo $"Table: mangle"
      $IPTABLES -t mangle --list
      ;;
   restart|reload)
      $0 stop
      $0 start
      ;;
   start)
    echo "Starting Firewall..."
    echo ""

##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#

## Default external interface (used, if EXTIF isn't specified on command line)
DEFAULT_EXTIF="eth1"

## Default internal interface (used, if INTIF isn't specified on command line)
DEFAULT_INTIF="eth0"

#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,1024,1025,1026,1027"

#-----Port-Forwarding Variables-----#

#For port-forwarding to an internal host, define a variable with the appropriate
#internal IP-Address here and take a look at the port-forwarding sections in the FORWARD +
#PREROUTING-chain:

#These are examples, uncomment to activate

#IP for forwarded Battlecom-traffic
#BATTLECOMIP="192.168.0.5"

#Bittorrent Computer
BITTORRENT=192.168.10.10
BITTPORT=57981

MONOTONE=192.168.10.10
MONOTONEPORT=4691

#Vonage
VONAGEIP=192.168.10.6
VONAGEPORTS=10000:20000

#Blizzard Downloader
BLIZZARD_DEST=192.168.10.95
BLIZZARD_PORTS=3724,6112,6881:6999
#BLIZZARD_PORTS=3724

#IP for forwarded HTTP-traffic
HTTPIP="192.168.10.250"

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
   EXTIF=$2
else
   EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine external IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$EXTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $EXTIF !"
     exit 1
  fi
echo External IP: $EXTIP

## Determine external gateway
EXTGW=`route -n | grep '0.0.0.0' | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW

echo " --- "

### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
   INTIF=$3
else
   INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$INTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $INTIF !"
     exit 1
  fi
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
## NOTE: the prefix length is hardcoded to /23 and $INTMASK (detected above) is
## not used; iptables masks off the host bits of $INTIP itself, so this still
## matches the whole 192.168.10.0/23 range used further down.
INTLAN=$INTIP'/'23
echo Internal LAN: $INTLAN

echo ""

#----Load IPTABLES-modules-----#

#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#

echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/${EXTIF}/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 1 > /proc/sys/net/ipv4/tcp_sack
# NOTE: this re-enables TCP timestamps and overrides the "Kill timestamps"
# setting above; keep only one of the two, depending on which you want.
echo 1 > /proc/sys/net/ipv4/tcp_timestamps

#Ignore icmp echo (ping) broadcast events
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)
        $IPTABLES -N LINVALID
        $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=INVALID:1 a=DROP "
        $IPTABLES -A LINVALID -j DROP

#TCP-Packets with one or more bad flags
        $IPTABLES -N LBADFLAG
        $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=BADFLAG:1 a=DROP "
        $IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
        $IPTABLES -N LSPECIALPORT
        $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SPECIALPORT:1 a=DROP "
        $IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
        $IPTABLES -N LSYNFLOOD
        $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SYNFLOOD:1 a=DROP "
        $IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
        $IPTABLES -N LPINGFLOOD
        $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=PINGFLOOD:1 a=DROP "
        $IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
        $IPTABLES -N LDROP
        $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=DROP "
        $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=DROP "
        $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=DROP "
        $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=DROP "
        $IPTABLES -A LDROP -j DROP

#All other rejected packets
        $IPTABLES -N LREJECT
        $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=REJECT "
        $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=REJECT "
        $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=REJECT "
        $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=REJECT "
        $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
        $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
        $IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

        $IPTABLES -N TCPACCEPT
        $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
        $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
        $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

        $IPTABLES -N CHECKBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#FILTERING FOR SPECIAL PORTS

        #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

                #SMB-Traffic
                $IPTABLES -N SMB

                $IPTABLES -A SMB -p tcp --dport 137 -j DROP
                $IPTABLES -A SMB -p tcp --dport 138 -j DROP
                $IPTABLES -A SMB -p tcp --dport 139 -j DROP
                $IPTABLES -A SMB -p tcp --dport 445 -j DROP
                $IPTABLES -A SMB -p udp --dport 137 -j DROP
                $IPTABLES -A SMB -p udp --dport 138 -j DROP
                $IPTABLES -A SMB -p udp --dport 139 -j DROP
                $IPTABLES -A SMB -p udp --dport 445 -j DROP

                $IPTABLES -A SMB -p tcp --sport 137 -j DROP
                $IPTABLES -A SMB -p tcp --sport 138 -j DROP
                $IPTABLES -A SMB -p tcp --sport 139 -j DROP
                $IPTABLES -A SMB -p tcp --sport 445 -j DROP
                $IPTABLES -A SMB -p udp --sport 137 -j DROP
                $IPTABLES -A SMB -p udp --sport 138 -j DROP
                $IPTABLES -A SMB -p udp --sport 139 -j DROP
                $IPTABLES -A SMB -p udp --sport 445 -j DROP

        #Inbound Special Ports

                $IPTABLES -N SPECIALPORTS

                #Deepthroat Scan
                $IPTABLES -A SPECIALPORTS -p  tcp --dport 6670 -j LSPECIALPORT

                #Subseven Scan
                $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

                #Netbus Scan
                $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

                #Back Orifice scan
                $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

                #X-Win
                $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS  -j LSPECIALPORT

                #Hack'a'Tack 2000
                $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING

        #Inbound ICMP/Traceroute

                $IPTABLES -N ICMPINBOUND

                #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
                #
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

                #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                #Allow all other ICMP in
                $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

        #Outbound ICMP/Traceroute

                $IPTABLES -N ICMPOUTBOUND

                #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-TTL-Expired
                #MS Traceroute (MS uses ICMP instead of UDP for tracert)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

                #Block ICMP-Parameter-Problem
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

                #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                ##Accept all other ICMP going out
                $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

########
# Throttle SSH connections by host
#    to prevent brute force attacks
########
    $IPTABLES --new-chain SSHTHROTTLE
    $IPTABLES --flush SSHTHROTTLE
    $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --seconds $(( 3600 * 18)) --update -j DROP
    $IPTABLES --append SSHTHROTTLE --match limit --limit 3/hour -j RETURN
    $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --set -j DROP

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
  $IPTABLES -A INPUT -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
  $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM FIREWALL-BOX ITSELF

  #Local IF
  $IPTABLES -A INPUT -i lo -j ACCEPT
  #
  #Kill connections to the local interface from the outside world (--> Should already be caught by kernel/rp_filter)
  $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT

##Packets FROM INTERNAL NET

##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it

  $IPTABLES -A INPUT -i ! $EXTIF -s $INTLAN -j ACCEPT

  #Allow Local DHCP Service Nonsense
  $IPTABLES -I INPUT -i ! $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT

  #Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should already be caught by rp_filter)
  $IPTABLES -A INPUT -s $INTLAN -j LREJECT

##Packets FROM EXTERNAL NET

## DHCP Server on ISP's Site
  $IPTABLES -I INPUT -i $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
  if [ -f /var/lib/dhcp3/dhclient.${EXTIF}.leases ]; then
        DHCPSID=$(grep dhcp-server-identifier /var/lib/dhcp3/dhclient.${EXTIF}.leases | tail --lines=1 | sed --expression='s;.* \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*;\1;')
        echo $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT
        $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT
  fi

##ICMP & Traceroute filtering

  #Filter ICMP
  $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

  #Block UDP-Traceroute
  $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

##Silent Drops/Rejects (Things we don't want in our logs)

  #Drop all SMB-Traffic
  $IPTABLES -A INPUT -i $EXTIF -j SMB

  #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 20 -j TCPACCEPT

  # ftp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 21 -j TCPACCEPT

  # ssh
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --syn -j SSHTHROTTLE
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --match state --state NEW -j TCPACCEPT

  #telnet
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT

  # smtp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT

  # DNS
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

  # http
  # $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

  # https
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT

  # POP-3
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT

##Separate logging of special portscans/connection attempts

  $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in

  $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

##Catch all rule
  $IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

  #Local IF
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

  #Allow unlimited traffic to internal network using legit addresses
  $IPTABLES -A OUTPUT -o ! $EXTIF -d $INTLAN -j ACCEPT

##Packets TO EXTERNAL NET

##NTP
  $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport ntp --dport ntp -j ACCEPT

##ICMP & Traceroute

  $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND

##Silent Drops/Rejects (Things we don't want in our logs)

  #SMB
  $IPTABLES -A OUTPUT -o $EXTIF -j SMB

  #Ident
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 20 -j ACCEPT

  # ftp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 21 -j ACCEPT

  # ssh
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 8193 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  #telnet
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT

  # smtp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

  # DNS
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

  # http
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

  # https
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

  # POP-3
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

  # DHCP Server on ISP's Site
  $IPTABLES -A OUTPUT -o $EXTIF -p udp  --sport 68 --dport 67 --source 0.0.0.0 --destination 255.255.255.255 -j ACCEPT
  if [ -f /etc/dhcpc/dhcpcd-${EXTIF}.info ]; then
        DHCPSID=$(grep DHCPSID /etc/dhcpc/dhcpcd-${EXTIF}.info | awk -F= '{print $2}')
        $IPTABLES -A OUTPUT -o $EXTIF -p udp  --sport 68 --dport 67 --destination $DHCPSID -j ACCEPT
  fi

  # DHCP Server inside Firewall Box
        $IPTABLES -A OUTPUT -o ! $EXTIF -p udp  --sport 67 --dport 68 -j ACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out

  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Catch all rule

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain  ## (everything that passes the firewall)
####################

##GENERAL Filtering

  # optimal forwarding rates
  $IPTABLES -A FORWARD -i ! $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -m state --state NEW -j ACCEPT

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
  $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
  $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

  # Bad Broadcasting
  $IPTABLES -A FORWARD -d 255.255.255.255 -j DROP
  $IPTABLES -A FORWARD -d 192.168.10.0 -j DROP
  $IPTABLES -A FORWARD -d 192.168.11.0 -j DROP

  # Spoofing
  $IPTABLES -A FORWARD -i $EXTIF -s 192.168.10.0/23 -j LDROP

  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB
   $IPTABLES -A FORWARD -o $EXTIF -j SMB
   $IPTABLES -A FORWARD -p tcp -m multiport --destination-ports 137,138,139,445 -j DROP
   $IPTABLES -A FORWARD -p udp -m multiport --destination-ports 137,138,139,445 -j DROP

##Filtering FROM INTERNAL NET

  ##Special Drops/Rejects
   # - To be done -

  ##Filter for some Trojans communicating to outside
   # - To be done -

  ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

   #HTTP-Forwarding
   #$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT

  ##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT

  ##Allow non-external nets to talk to each other, q.v. wireless to wired "internal" networks
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT

##Filtering FROM EXTERNAL NET

  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB Handled Above
   #$IPTABLES -A FORWARD -i $EXTIF -j SMB

  ##Allow replies coming in
  $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -m state --state RELATED -j ACCEPT

##Port-Forwarding [inbound] (--> Also see chain PREROUTING)

  #HTTP-Forwarding
  $IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP --dport 80 -j ACCEPT

  #Battlecom-Forwarding
  #$IPTABLES -A FORWARD -p tcp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p udp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p tcp --dport 47624 -i $EXTIF -d $BATTLECOMIP -j ACCEPT

  $IPTABLES -A FORWARD -p tcp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT
  $IPTABLES -A FORWARD -p udp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT
  $IPTABLES -A FORWARD -p tcp --dport $MONOTONEPORT -i $EXTIF -d $MONOTONE -j ACCEPT

  $IPTABLES -A FORWARD -p udp --dport $VONAGEPORTS -i $EXTIF -d $VONAGEIP -j ACCEPT

  $IPTABLES -A FORWARD -p tcp --match multiport --destination-ports $BLIZZARD_PORTS -i $EXTIF -d $BLIZZARD_DEST -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -d $BLIZZARD_DEST -p tcp --match multiport --destination-ports $BLIZZARD_PORTS --match state --state NEW -j ACCEPT

##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

  ##NTP
  $IPTABLES -A PREROUTING -t nat ! -i $EXTIF -p udp --destination-port ntp -j REDIRECT

  ##HTTP
  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $HTTPIP

  ##Battlecom
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 47624 -i $EXTIF -j DNAT --to $BATTLECOMIP:47624

  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT
  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT

  ##Monotone
  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $MONOTONEPORT -i $EXTIF -j DNAT --to $MONOTONE:$MONOTONEPORT

  ##Vonage
  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $VONAGEPORTS -i $EXTIF -j DNAT --to $VONAGEIP

  ##Blizzard
  $IPTABLES -t nat -A PREROUTING --destination $EXTIP --in-interface $EXTIF -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --match multiport --destination-ports $BLIZZARD_PORTS -j DNAT --to $BLIZZARD_DEST

###################
##  POSTROUTING  ##
###################

  #Masquerade from Internal Net to External Net
  $IPTABLES -A POSTROUTING -t nat --out-interface $EXTIF -j SNAT --to-source $EXTIP

  # Initial Shape Classifier
  # Give "overhead" packets highest priority
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -j CLASSIFY --set-class 1:60
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:68 -m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10
  #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10
  #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL FIN -j CLASSIFY --set-class 1:10
  # interactive SSH traffic and UDP gaming
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:20
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF --source $VONAGEIP -p udp -j RETURN
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:30
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
  # interactive mail or web traffic
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --dports http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --sports http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30
  # dns lookups
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport domain -j CLASSIFY --set-class 1:30
  # ICMP
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p icmp -m length --length 28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY --set-class 1:40
  # bulk traffic
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport 25 -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport 6667 -j CLASSIFY --set-class 1:50

ip6tables -P FORWARD DROP

#------End Ruleset------#

echo "...done"
echo ""

echo "--> IPTABLES firewall loaded/activated <--"

##--------------------------------End Firewall---------------------------------##

   ;;
   *)
      echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
      exit 1
esac

exit 0
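Added example (my code, not part of IBitOBear's script): a Python model of how the mangle POSTROUTING classifier in the script resolves. CLASSIFY is a non-terminating target, so the last matching rule decides a packet's class, while RETURN ends the walk of the chain; the Vonage rule relies on this to keep its UDP at 1:20, and the same mechanism means a bare ACK on an HTTP or HTTPS connection ends at 1:30 rather than the 1:10 the overhead rule gave it. The address for $VONAGEIP, the internal host and the packet sizes are constructed values.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

VONAGEIP = "192.168.1.50"  # constructed stand-in for the script's $VONAGEIP

@dataclass
class Pkt:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str = "192.168.1.10"   # constructed internal host
    sport: int = 40000
    dport: int = 40001
    length: int = 1500          # IP total length in bytes, as -m length sees it
    flags: frozenset = frozenset({"ACK"})  # TCP flags that are set

# (predicate, class); a class of None stands for the RETURN target
Rule = Tuple[Callable[[Pkt], bool], Optional[str]]

def flags_all(p: Pkt, want: set) -> bool:
    """--tcp-flags ALL <want>: exactly these flags set, every other flag clear."""
    return p.proto == "tcp" and p.flags == frozenset(want)

def small(p: Pkt, hi: int = 100) -> bool:
    return 40 <= p.length <= hi  # -m length --length 40:<hi>

# The script's rules in append order (a subset, enough to show the ordering effects).
CLASSIFIER: List[Rule] = [
    (lambda p: p.proto == "tcp", "1:60"),                             # default for all TCP
    (lambda p: flags_all(p, {"ACK"}) and small(p), "1:10"),           # bare ACKs = overhead
    (lambda p: flags_all(p, {"SYN"}) and small(p, 68), "1:10"),       # --syn
    (lambda p: p.proto == "udp", "1:20"),                             # UDP gaming
    (lambda p: p.proto == "udp" and p.src == VONAGEIP, None),         # RETURN: Vonage keeps 1:20
    (lambda p: p.proto == "udp", "1:30"),                             # all other UDP demoted
    (lambda p: p.proto == "tcp" and 22 in (p.sport, p.dport) and small(p), "1:20"),
    (lambda p: p.proto == "tcp" and p.dport in (80, 443), "1:30"),    # web, appended AFTER the ACK rule
    (lambda p: p.proto == "tcp" and 22 in (p.sport, p.dport) and p.length >= 101, "1:50"),
    (lambda p: p.proto == "tcp" and p.sport == 25, "1:50"),           # outbound SMTP = bulk
]

def classify(p: Pkt, rules: List[Rule] = CLASSIFIER) -> Optional[str]:
    """Walk the chain as netfilter does: CLASSIFY sets the class and continues, RETURN stops."""
    cls = None
    for pred, action in rules:
        if not pred(p):
            continue
        if action is None:      # RETURN: leave the chain with whatever class is set so far
            break
        cls = action            # CLASSIFY is non-terminating: a later match overrides it
    return cls
```

Packets no rule matches (ICMP in this subset) leave the chain unclassified, so the tc default class applies to them.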
